This article is taking part in the "Network Protocols You Must Know" essay campaign.

IPSec looks difficult at first; once you understand its logic and the framework it is built on, the configuration is easy.



Configuration case

Requirements

  • Configure IP addresses, DHCP, routing, and NAT
  • The intranets must be able to reach the Internet (the ISP loopback 2.2.2.2)
  • Configure an IPSec VPN between the two sites
  • PC1 must be able to reach PC2 directly by its private address
  • Capture packets to verify that the data between the sites is encrypted

The topology

Configuration

Basic configuration

Qinghai branch IP address, DHCP, NAT, routing

```
system-view
sysname QH
dhcp enable
acl 2000
 rule permit source 192.168.10.0 0.0.0.255
interface GigabitEthernet 0/0/0
 ip address 192.168.10.254 24
 dhcp select interface
interface GigabitEthernet 0/0/1
 ip address 12.0.0.1 24
 nat outbound 2000
ip route-static 0.0.0.0 0 12.0.0.2
```

Shanghai headquarters IP address, DHCP, NAT, and routing

```
system-view
sysname SH
dhcp enable
acl 2000
 rule permit source 192.168.20.0 0.0.0.255
interface GigabitEthernet 0/0/1
 ip address 192.168.20.254 24
 dhcp select interface
interface GigabitEthernet 0/0/0
 ip address 23.0.0.3 24
 nat outbound 2000
ip route-static 0.0.0.0 0 23.0.0.2
```

ISP (public network)

```
system-view
sysname ISP
interface GigabitEthernet 0/0/0
 ip address 12.0.0.2 24
interface GigabitEthernet 0/0/1
 ip address 23.0.0.2 24
interface LoopBack 2
 ip address 2.2.2.2 32
```

PC1 and PC2 obtain their addresses from the DHCP service on their gateway routers.

IPSec VPN configuration

Qinghai branch

```
acl 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
ipsec proposal QH2SH
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec policy QH2SH 1 manual
 security acl 3000
 proposal QH2SH
 tunnel local 12.0.0.1
 tunnel remote 23.0.0.3
 sa spi inbound esp 12345
 sa string-key inbound esp cipher huawei123
 sa spi outbound esp 12345
 sa string-key outbound esp cipher huawei123
interface GigabitEthernet 0/0/1
 ipsec policy QH2SH
```

ACL 3000 defines the interesting traffic, the proposal fixes the algorithms, the manual policy binds ACL, proposal, tunnel endpoints and the per-direction SPI and key, and the policy is finally applied on the public-network interface. With manual keying the inbound SPI and key on one side must be exactly the outbound SPI and key on the other side (keys are compared byte for byte, so case matters).

Shanghai headquarters

```
acl 3000
 rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
ipsec proposal SH2QH
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
ipsec policy SH2QH 1 manual
 security acl 3000
 proposal SH2QH
 tunnel local 23.0.0.3
 tunnel remote 12.0.0.1
 sa spi inbound esp 12345
 sa string-key inbound esp cipher huawei123
 sa spi outbound esp 12345
 sa string-key outbound esp cipher huawei123
interface GigabitEthernet 0/0/0
 ipsec policy SH2QH
```

After this configuration PC1 and PC2 can both ping the public address 2.2.2.2, but PC1 cannot ping PC2.

Cause analysis

Cause: the NAT policy on the public-network egress interface conflicts with the IPSec interesting traffic. On the outbound interface NAT is applied before IPSec, and ACL 2000 matches everything from the LAN, so a packet from 192.168.10.x to 192.168.20.x has its source rewritten to 12.0.0.1 before the IPSec policy sees it. It no longer matches ACL 3000, is sent in the clear, and the Shanghai side has no route back to a translated address inside its own LAN.

Cross-check: if the NAT policy is removed from the public interface, the two PCs can no longer ping the public network, but the IPSec VPN works normally.

Solutions

  1. Change the IPSec interesting traffic
  2. Change the NAT policy on the egress interface

Solution 1: Change the IPSec interesting traffic

Match the packets as they look after NAT, that is with the public egress address as the source. Re-entering rule 5 overwrites the existing rule. Note that the inner packet then carries the translated address, so PC2 sees traffic from 12.0.0.1 rather than from PC1's private address.

Qinghai branch

```
acl number 3000
 rule 5 permit ip source 12.0.0.1 0.0.0.255 destination 192.168.20.0 0.0.0.255
```

Shanghai headquarters

```
acl number 3000
 rule 5 permit ip source 23.0.0.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
```

==Packet capture: the data packets between the sites are ESP-encrypted==

Solution 2: Change the NAT policy on the egress interface

Exclude the site-to-site traffic from NAT with a deny rule placed before the permit rule, so it keeps its private source address and still matches ACL 3000.

Qinghai branch

```
acl 3001
 rule deny ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
 rule permit ip source any
```

Shanghai headquarters

```
acl 3001
 rule deny ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
 rule permit ip source any
```

Create ACL 3001 on both routers and apply it on the public-network egress interface in place of ACL 2000 (under G0/0/1 on Qinghai and G0/0/0 on Shanghai: `undo nat outbound 2000`, then `nat outbound 3001`). Traffic between the two private subnets now bypasses NAT, matches ACL 3000 and is sent through the tunnel, while everything else is still translated. This is the preferable fix, because PC1 reaches PC2 by its private address as the requirements ask.
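To show the cause stated above in executable form, here is an added example in Go (not part of the original page or of any Huawei software) that models the egress interface: NAT is applied first, then the IPSec security ACL, which is the order VRP uses. Feeding the page's ACLs through it reproduces the failure with acl 2000 and the fix with acl 3001, and shows that Internet-bound traffic is still translated. The addresses are the page's; the rule representation and the processing model (first match wins, contiguous wildcards only, no port handling) are this example's own simplification.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one ACL rule: action plus source and destination prefixes.
type Rule struct {
	Permit   bool
	Src, Dst netip.Prefix
}

// pfx converts a VRP "address wildcard" pair such as "192.168.10.0 0.0.0.255"
// into a prefix. Only contiguous wildcards are handled, which is all the page uses.
func pfx(addr, wildcard string) netip.Prefix {
	bits := 0
	for _, b := range netip.MustParseAddr(wildcard).As4() {
		for i := 7; i >= 0 && b&(1<<i) == 0; i-- {
			bits++
		}
	}
	return netip.PrefixFrom(netip.MustParseAddr(addr), bits).Masked()
}

var (
	anyNet = netip.MustParsePrefix("0.0.0.0/0")
	lanQH  = pfx("192.168.10.0", "0.0.0.255")
	lanSH  = pfx("192.168.20.0", "0.0.0.255")
	// Original NAT ACL on Qinghai: everything from the LAN is translated.
	acl2000 = []Rule{{true, lanQH, anyNet}}
	// IPSec interesting traffic on Qinghai.
	acl3000 = []Rule{{true, lanQH, lanSH}}
	// Solution 2: keep the tunnel traffic out of NAT, translate the rest.
	acl3001 = []Rule{{false, lanQH, lanSH}, {true, anyNet, anyNet}}
)

// match returns whether any rule matched and, if so, its action.
func match(acl []Rule, src, dst netip.Addr) (hit, permit bool) {
	for _, r := range acl {
		if r.Src.Contains(src) && r.Dst.Contains(dst) {
			return true, r.Permit
		}
	}
	return false, false
}

// Result describes one outbound packet after the egress interface handled it.
type Result struct {
	Src        netip.Addr // source address as seen on the wire
	Translated bool       // nat outbound rewrote the source
	IPSecMatch bool       // matched the IPSec security ACL, so it gets ESP
}

// egress models VRP's outbound order on the interface: NAT first, then IPSec.
func egress(natACL, ipsecACL []Rule, ifAddr, src, dst string) Result {
	s, d := netip.MustParseAddr(src), netip.MustParseAddr(dst)
	r := Result{Src: s}
	if hit, permit := match(natACL, s, d); hit && permit {
		r.Src, r.Translated = netip.MustParseAddr(ifAddr), true
	}
	hit, permit := match(ipsecACL, r.Src, d) // sees the post-NAT source
	r.IPSecMatch = hit && permit
	return r
}

func main() {
	cases := []struct {
		name string
		nat  []Rule
	}{{"acl 2000 (original)", acl2000}, {"acl 3001 (solution 2)", acl3001}}
	for _, c := range cases {
		for _, dst := range []string{"192.168.20.1", "2.2.2.2"} {
			r := egress(c.nat, acl3000, "12.0.0.1", "192.168.10.1", dst)
			fmt.Printf("%-22s dst %-13s -> src %-13s translated=%-5t ipsec=%t\n",
				c.name, dst, r.Src, r.Translated, r.IPSecMatch)
		}
	}
}
```

Solution 1 is the other way out of the same ordering problem: instead of keeping the packet away from NAT, the IPSec ACL is changed to match the translated source.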

IPSec VPN

IPSec: Internet Protocol Security

  • Originally designed for IPv6; also used with IPv4
  • A security framework defined by the IETF for protecting IP traffic
  • A security mechanism built at the network layer
  • Introduces multiple encryption algorithms, authentication algorithms and key management mechanisms
  • Drawbacks: complex configuration, heavy computation, added latency and no multicast support

IPSec VPN is a VPN technology built on IPSec tunnels.

Core Functions of IPSec

IPSec Technical Framework

IPSec Protocol

IPSec Encapsulation Mode

Transport mode encapsulation structure: the ESP (or AH) header is inserted between the original IP header and the transport-layer payload, so only the payload is protected and the original addresses remain visible; used between end hosts.

Tunnel mode encapsulation structure: the whole original IP packet becomes the ESP payload and a new outer IP header (tunnel local to tunnel remote) is added, so the inner addresses are hidden; used between gateways, as in this case.

Security alliance

Security Association (SA)

  • As the name implies, the two communicating parties form an "alliance": they trust each other and agree on a contract
  • Uniquely identified by a triplet: SPI, destination IP address, security protocol number
  • Determines how a packet is processed: mode, protocol, algorithms, keys and lifetime
  • Each IPSec SA is unidirectional; a bidirectional session needs one SA in each direction
  • An IPSec SA can be established manually or negotiated through IKE
  • Security Policy Database (SPD)
  • Security Association Database (SAD)
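To make the tunnel-mode encapsulation and the SA lookup concrete, here is an added example in Go (not from the original page and not Huawei code) that builds and parses an ESP packet the way this page's manual SA is configured: ESP with AES-256-CBC and SHA2-256 (ICV truncated to 128 bits), SPI 12345, next header 4 for tunnel mode. The receiver looks the SA up by SPI, checks the ICV before decrypting and rejects replays. The keys, the inner packet and the "strictly increasing" replay rule are constructed for the example; a real implementation derives separate keys from the configured string-key and uses a sliding anti-replay window.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const icvLen = 16 // sha2-256 ICV truncated to 128 bits, as ESP uses it

// SA is one direction of a manual SA: the SPI plus the keys that the page's
// string-key stands in for. Both keys in main() are constructed test values.
type SA struct {
	SPI     uint32
	EncKey  []byte // 32 bytes: AES-256
	AuthKey []byte
	seq     uint32 // sender: last sequence sent; receiver: highest accepted
}

// Encapsulate wraps a whole inner IP packet in ESP in tunnel mode (next header
// 4 = IPv4-in-IP). The caller prepends the outer IPv4 header, protocol 50, from
// tunnel local to tunnel remote; that outer header is all a capture sees in clear.
func (sa *SA) Encapsulate(inner []byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	padLen := (aes.BlockSize - (len(inner)+2)%aes.BlockSize) % aes.BlockSize
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding 1,2,3,...
	}
	plain = append(plain, byte(padLen), 4) // ESP trailer: pad length, next header
	sa.seq++
	out := make([]byte, 8+aes.BlockSize, 8+aes.BlockSize+len(plain)+icvLen)
	binary.BigEndian.PutUint32(out[0:], sa.SPI)
	binary.BigEndian.PutUint32(out[4:], sa.seq)
	if _, err := rand.Read(out[8:]); err != nil { // fresh CBC IV per packet
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, out[8:]).CryptBlocks(ct, plain)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, sa.AuthKey) // ICV covers SPI, seq, IV, ciphertext
	mac.Write(out)
	return append(out, mac.Sum(nil)[:icvLen]...), nil
}

// Decapsulate verifies the ICV before decrypting, rejects replayed sequence
// numbers (simplified: strictly increasing) and returns the inner IP packet.
func (sa *SA) Decapsulate(esp []byte) ([]byte, error) {
	if len(esp) < 8+2*aes.BlockSize+icvLen {
		return nil, errors.New("esp: packet too short")
	}
	body, icv := esp[:len(esp)-icvLen], esp[len(esp)-icvLen:]
	mac := hmac.New(sha256.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, errors.New("esp: ICV mismatch (wrong key or tampered packet)")
	}
	if spi := binary.BigEndian.Uint32(body[0:]); spi != sa.SPI {
		return nil, fmt.Errorf("esp: no SA for SPI %d", spi)
	}
	seq := binary.BigEndian.Uint32(body[4:])
	if seq <= sa.seq {
		return nil, errors.New("esp: replayed sequence number")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("esp: ciphertext not block aligned")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if next != 4 || padLen > len(plain)-2 {
		return nil, errors.New("esp: bad trailer")
	}
	sa.seq = seq
	return plain[:len(plain)-2-padLen], nil
}

func main() {
	enc, auth := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0x17}, 32)
	tx := &SA{SPI: 12345, EncKey: enc, AuthKey: auth}
	rx := &SA{SPI: 12345, EncKey: enc, AuthKey: auth}
	inner := []byte("constructed inner packet 192.168.10.1 -> 192.168.20.1")
	esp, _ := tx.Encapsulate(inner)
	fmt.Printf("ESP on the wire: %d bytes, SPI %d, inner addresses visible: %t\n",
		len(esp), binary.BigEndian.Uint32(esp), bytes.Contains(esp, []byte("192.168")))
	got, err := rx.Decapsulate(esp)
	fmt.Printf("decapsulated: %q (err=%v)\n", got, err)
	_, err = rx.Decapsulate(esp)
	fmt.Println("same packet delivered again:", err)
}
```

The only cleartext fields are the SPI and the sequence number, which is why a capture on the ISP link shows "ESP" with the SPI but none of the private addresses. A key that differs by a single character between the two routers fails the ICV check, which is the symptom of the inbound/outbound key mismatch discussed in the manual configuration.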

IKE

IKE: Internet Key Exchange

  • Application-layer protocol over UDP (port 500; port 4500 when NAT traversal is used) that provides the keys needed for data encryption
  • Uses the DH algorithm to establish keys securely over an insecure network and authenticates the peers' identities
  • Periodically refreshes SAs and keys, improving security
  • Allows IPSec to provide anti-replay services
  • Simplifies the use and management of IPSec, and greatly simplifies its configuration and maintenance
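An added example in Go (not from the page) of what IKE does on UDP/500 before any ESP flows: a DH group 14 exchange, as selected by `dh group14` on this page, followed by a simplified IKEv1 main-mode pre-shared-key proof. The DH modulus is the 2048-bit MODP group from RFC 3526. The message layout, cookies and SA payloads of real IKE are omitted, and the HASH_I construction here (SKEYID = prf(PSK, Ni | Nr), HASH_I = prf(SKEYID, g^xi | g^xr | IDi)) is a reduced form of RFC 2409's, an assumption of this example rather than something the page states. It also shows why DH alone is not enough: two peers with different PSKs still agree on the same DH secret, and only the authentication step fails.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// IKE DH group 14: the 2048-bit MODP group of RFC 3526, generator 2.
var group14P, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"+
		"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"+
		"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"+
		"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
		"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"+
		"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"+
		"83655D23DCA3AD961C62F356208552BB9ED529077096966D"+
		"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"+
		"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"+
		"DE2BCBF6955817183995497CEA956AE515D2261898FA0510"+
		"15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
var group14G = big.NewInt(2)

// Peer holds one IKE endpoint's phase-1 state. Everything except psk and priv
// travels in the clear over UDP/500.
type Peer struct {
	ID    string // identity; the page authenticates by IP address
	psk   []byte
	priv  *big.Int
	Pub   *big.Int // g^priv mod p
	Nonce []byte
}

// NewPeer picks a private exponent and a nonce. A 256-bit exponent is ample
// for a 2048-bit group.
func NewPeer(id string, psk []byte) (*Peer, error) {
	priv, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 256))
	if err != nil {
		return nil, err
	}
	priv.Add(priv, big.NewInt(2))
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Peer{ID: id, psk: psk, priv: priv,
		Pub: new(big.Int).Exp(group14G, priv, group14P), Nonce: nonce}, nil
}

// checkPub rejects public values outside (1, p-1), which would force the
// shared secret into a trivial subgroup.
func checkPub(pub *big.Int) error {
	pMinus1 := new(big.Int).Sub(group14P, big.NewInt(1))
	if pub.Cmp(big.NewInt(1)) <= 0 || pub.Cmp(pMinus1) >= 0 {
		return errors.New("ike: invalid DH public value")
	}
	return nil
}

// prf is IKE's keyed pseudo-random function, here HMAC-SHA2-256.
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Exchange runs both sides of the simplified PSK authentication and reports
// whether the responder accepts HASH_I and whether the DH secrets agree.
func Exchange(init, resp *Peer) (authOK, dhAgree bool, err error) {
	if e := checkPub(init.Pub); e != nil {
		return false, false, e
	}
	if e := checkPub(resp.Pub); e != nil {
		return false, false, e
	}
	secretI := new(big.Int).Exp(resp.Pub, init.priv, group14P).Bytes()
	secretR := new(big.Int).Exp(init.Pub, resp.priv, group14P).Bytes()
	dhAgree = hmac.Equal(secretI, secretR)
	// Initiator computes HASH_I with its own PSK; responder recomputes it with its PSK.
	pubs := [][]byte{init.Pub.Bytes(), resp.Pub.Bytes(), []byte(init.ID)}
	hashI := prf(prf(init.psk, init.Nonce, resp.Nonce), pubs...)
	want := prf(prf(resp.psk, init.Nonce, resp.Nonce), pubs...)
	return hmac.Equal(hashI, want), dhAgree, nil
}

func main() {
	qh, _ := NewPeer("12.0.0.1", []byte("huawei")) // PSK as on the page
	sh, _ := NewPeer("23.0.0.3", []byte("huawei"))
	fmt.Println(Exchange(qh, sh)) // true true <nil>
	bad, _ := NewPeer("23.0.0.3", []byte("wrong-psk"))
	fmt.Println(Exchange(qh, bad)) // false true <nil>: DH agrees, authentication fails
}
```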

IPSec configuration

| Command | Purpose |
|---|---|
| `ipsec proposal Shanghai` | Create and enter an IPSec proposal. |
| `encapsulation-mode tunnel` | Set the packet encapsulation mode (tunnel or transport). |
| `transform esp` | Set the security protocol used by the tunnel. |
| `esp authentication-algorithm sha2-256` | Set the ESP authentication algorithm. |
| `esp encryption-algorithm aes-128` | Set the ESP encryption algorithm. |
| `display ipsec proposal` | Verify the IPSec proposal. |
| `ipsec policy P1 10 manual` | Create a manual IPSec policy (group P1, sequence 10). |
| `security acl 3000` | Reference the ACL that defines the interesting traffic. |
| `proposal Shanghai` | Reference the IPSec proposal. |
| `tunnel local 12.0.0.2` / `tunnel remote 13.0.0.3` | Set the local and peer addresses of the security tunnel. |
| `sa spi inbound esp 12345` / `sa spi outbound esp 12345` | Set the SPI of the SA for each direction; both directions must be set, and each side's inbound must match the peer's outbound. |
| `sa string-key inbound esp cipher Wakin` / `sa string-key outbound esp cipher Wakin` | Set the SA key for each direction; both directions must be set, with the same cross-matching rule. |
| `display ipsec policy` | Display the manual IPSec policy. |
| `ike proposal 10` | Create and enter an IKE proposal. |
| `authentication-method pre-share` | Set the identity authentication method. |
| `authentication-algorithm sha2-256` | Set the IKE data authentication algorithm. |
| `encryption-algorithm aes-cbc-256` | Set the IKE encryption algorithm. |
| `dh group14` | Set the key exchange group. |
| `display ike proposal` | Verify the IKE proposal. |
| `ike peer Shanghai v1` | Create and enter an IKE peer (IKEv1). |
| `exchange-mode main` (or `aggressive`) | Set the phase-1 exchange mode. |
| `pre-shared-key cipher huawei` | Set the PSK. |
| `ike-proposal 10` | Reference the IKE proposal. |
| `local-address 12.0.0.1` / `remote-address 23.0.0.3` | Set the local and peer IKE addresses. |
| `ipsec policy P2 10 isakmp` | Create an IKE-negotiated (automatic) IPSec policy. |
| `security acl 3000` | Reference the ACL. |
| `proposal 10` | Reference the IPSec proposal. |
| `ike-peer Shanghai` | Reference the IKE peer. |
| `ipsec policy P1` (or `P2`), under the interface | Apply the IPSec policy group to the interface. |
| `display ike sa` / `display ipsec sa` | Verify the IKE and IPSec SAs. |

Manual approach